Directi’s Radix wins .website gTLD auction

Directi-affiliated TLD registry Radix, has won the private auction for the .website gTLD, according to Radix.
The company beat rival portfolio applicants Donuts and Top Level Domain Holdings to the string, in an auction that was managed by Innovative Auctions, likely one of several going on this week.
There’s no outstanding Governmental Advisory Committee advice or objections to the Radix application, so its path to contracting and eventual delegation should be relatively uncontroversial now.
The price was undisclosed, Innovative’s standard terms.
Directi is in the process of being acquired by Endurance International, owner of Domain.com, which promised Radix up to $62 million to help with its gTLD auctions.

Domain.com owner files for $400m IPO, to spend $110m buying Directi

Endurance International, owner of Domain.com and HostGator, plans to raise up to $400 million in a Nasdaq IPO, and said it will spend up to $110 million of that buying Directi, India’s largest domain registrar.
As part of the proposed acquisition, Endurance has also agreed to bankroll Directi’s new gTLD auctions to the tune of $62 million.
The acquisition is not final, and appears to depend on a number of targets related to the IPO and Directi’s revenue performance. Endurance’s S-1 filing with the US Securities and Exchange Commission reads:

In August 2013, we entered into a master share purchase agreement to acquire all of the outstanding capital stock of Directi from Directi Holdings, the seller, for an amount we estimate will be between $100 million and $110 million in cash or, at the election of the seller, a combination of cash and shares of our common stock, subject to the satisfaction or waiver of specified customary closing conditions and the achievement of specified financial targets.

The acquisition would close in the fourth quarter this year.
As well as running a top-ten registrar (and a few dozen others), Directi subsdiary Radix Registry has 29 active new gTLD applications, 26 of which are contested.
Endurance proposes to help Radix win these contention sets. On new gTLD auctions, the S-1 says:

in connection with our proposed acquisition of Directi, we entered into agreements with entities affiliated with Directi Holdings related to participation in the auction of new top level domain extensions and domain monetization activities, pursuant to which, among other things, we may be obligated to make aggregate cash payments of up to a maximum of approximately $62 million, subject to specified terms, conditions and operational contingencies.

Endurance is a complicated company. Its most familiar brands include Domain.com, iPage, FatCow, Homestead, Bluehost, HostGator, A Small Orange, iPower and Dotster.
But since December 2011 it has been controlled and majority owned by Warburg Pincus and Goldman Sachs, which paid a reported $975 million.
Its annual revenue for the last three calendar years has been $87.8 million, $190.3 million and $292.2 million. It’s currently not profitable, recording a net loss of $139.2 million in 2012.
It has seven million domains under management and had 3.4 million customers at the end of June 2013.
Judging by the S-1, the company has over a billion dollars of debt. Directi acquisition excluded, most of its IPO proceeds would go towards paying off some of that debt.

Name collisions comments call for more gTLD delay

The first tranche of responses to Interisle Consulting’s study into the security risks of new gTLDs, and ICANN’s proposal to delay a few hundred strings pending more study, is in.
Comments filed with ICANN before the public comment deadline yesterday fall basically into two camps:

• Non-applicants (mostly) urging ICANN to proceed with extreme caution. Many are asking for more time to study their own networks so they can get a better handle on their own risk profiles.
• Applicants shooting holes in Interisle’s study and ICANN’s remeditation plan. They want ICANN to reclassify everything except .home and .corp as low risk, removing delays to delegation and go-live.

They were responding to ICANN’s decision to delay 521 “uncalculated risk” new gTLD applications by three to six months while further research into the risk of name collisions — where a new gTLD could conflict with a TLD already used by internet users in a non-standard way — is carried out.
Proceed with caution
Many commenters stated that more time is needed to analyse the risks posed by name collisions, noting that Interisle studied primarily the volume of queries for non-existent domains, rather than looking deeply into the consequences of delegating colliding gTLDs.
That was a point raised by applicants too, but while applicants conclude that this lack of data should lead ICANN to lift the current delays, others believe that it means more delays are needed.
Two ICANN constituencies seem to generally agree with the findings of the Interisle report.
The Internet Service Providers and Connectivity Providers constituency asked for the public comment period be put on hold until further research is carried out, or for at least 60 days. It noted:

corporations, ISPs and connectivity providers may bear the brunt of the security and customer-experience issues resulting from adverse (as yet un-analyzed) impacts from name collision
…
these issues, due to their security and customer-experience aspects, fall outside the remit of people who normally participate in the ICANN process, requiring extensive wide-ranging briefings even in corporations that do participate actively in the ICANN process

The At-Large Advisory Committee concurred that the Interisle study does not currently provide enough information to fully gauge the risk of name collisions causing harm.
ALAC said it was “in general concurrence with the proposed risk mitigation actions for the three defined risk categories” anyway, adding:

ICANN must assure that such residual risk is not transferred to third parties such as current registry operators, new gTLD applicants, registrants, consumers and individual end users. In particular, the direct and indirect costs associated with proposed mitigation actions should not have to be borne by registrants, consumers and individual end users. The Board must err on the side of caution

Several individual stakeholders agreed with the ISPCP that they need more time to look at their own networks. The Association of Nation Advertisers said:

Our member companies are working diligently to determine if DNS Clash issues are present within their respective networks. However the ANA had to communicate these issues to hundreds of companies, after which these companies must generate new data to determine the potential service failures on their respective networks.

The ANA wants the public comment period extended until November 22 to give its members more time to gather data.
While the ANA can always be relied upon to ask for new gTLDs to be delayed, its request was echoed by others.
General Electric called for three types of additional research:

• Additional studies of traffic beyond the initial DITL sample.
• Information and analysis of “use cases” — particular types of queries and traffic — and the consequences of the failure of particular use cases to resolve as intended (particular use cases could have severe consequences even if they might occur infrequently — like hurricanes), and
• Studies of the time and costs of mitigation.

GE said more time is needed for companies such as itself to conduct impact analyses on their own internal networks and asked ICANN to not delegate any gTLD until the risk is “fully understood”.
Verizon, Heinz and the American Insurers Association have asked for comment deadline extensions for the same reasons.
The Association of Competitive Technology (which has Verisign as a member) said:

ICANN should slow or temporarily suspend the process of delegating TLDs at risk of causing problems due to their frequency of appearance in queries to the root. While we appreciate the designation of .home and .corp as high risk, there are many other TLDs which will also have a significant destructive effect.

Numerically, there were far more comments criticizing ICANN’s mitigation proposal. All were filed by new gTLD applicants, whose interests are aligned, however.
Most of these comments, which are far more focused on the details and the data, target perceived deficiencies in Interisle’s report and ICANN’s response to it.
Several very good arguments are made.
The Svalbard problem
First, there is criticism of the cut-off point between “low risk” and “uncalculated risk” strings, which some applicants say is “arbitrary”.
That’s mostly true.
ICANN basically took the list of applied-for strings, ordered by the frequency Interisle found they generate NXDOMAIN responses at the root, and drew a line across it at the 49,842 queries mark.
That’s because 49,842 queries is what .sj, the least-frequently-queried real TLD, received over the same period
If your string, despite not yet existing as a gTLD, already gets more traffic than .sj, it’s classed as “uncalculated risk” and faces more delays, according to ICANN’s plan.
As Directi said in its comments:

The result of this arbitrary selection is that .bio (Rank 281) with 50,000 queries (rounded to the nearest thousand) is part of the “uncategorized risk” list, and is delayed by 3 to 6 months, whereas .engineering (Rank 282) with 49,000 queries (rounded to the nearest thousand) is part of the “low risk” list, and can proceed without any significant delays.

What neither ICANN nor Interisle explained is why this is an appropriate place to draw a line in the sand.
This graphic from DotCLUB Domains illustrates the scale of the problem nicely:
.sj is the ccTLD for Svalbard, a Norwegian territory in the Arctic Circle with fewer than 3,000 inhabitants. The TLD is administered by .no registry Norid, but it’s not possible to register domains there.
Does having more traffic than .sj mean a gTLD is automatically more risky? Does having less mean a gTLD is safe? The ICANN proposal assumes “yes” to both questions, but it doesn’t explain why.
Many applicants say that having more traffic than existing gTLDs does not automatically mean your gTLD poses a risk.
They pointed to Verisign data from 2006, which shows that gTLDs such as .xxx and .asia were already receiving large amounts of traffic prior to their delegation. When they were delegated, the sky did not fall. Indeed, there were no reports of significant security and stability problems.
The New gTLD Applicants Group said:

In fact, the least “dangerous” current gTLD on the chart, .sx, had 331 queries per million in 2006. This is a higher density of NXDOMAIN queries than all but five proposed new TLDs. 4 Again, .sx was launched successfully in 2012 with none of the problems predicted in these reports.
These successful delegations alone demonstrate that there is no need to delay any more than the two most risky strings.

Donuts said:

There is no factual basis in the study recommending halting delegation process of 20% of applied-for strings. As the paper itself says, “The Study did not find enough information to properly classify these strings given the short timeline.” Without evidence of actual harm, the TLDs should proceed to delegation. Such was the case with other TLDs such as .XXX and .ASIA, which were delegated without delay and with no problems post-delegation.

Applicants also believe that the release in June 2012 of the list of all 1,930 applied-for strings may have skewed the data set that Interisle used in its study.
Uniregistry, for example, said:

The sole fact that queries are being received at the root level does not itself present a security risk, especially after the release to the public of the list of applied-for strings.

The argument seems to be that a lot of the NXDOMAIN traffic seen in 2013 is due to people and software querying applied-for TLDs to see if they’re live yet.
It’s quite a speculative argument, but it’s somewhat supported by the fact that many applied-for strings received more queries in 2013 than they did in the equivalent 2012 sampling.
Second-level domains
Some applicants pointed out that there may not be a correlation between the volume of traffic a string receives and the number of second-level domains being queried.
A string might get a bazillion queries for a single second-level domain name. If that domain name is reserved by the registry, the risk of a name collision might be completely eliminated.
The Interisle report did show that number of SLDs and the volume of traffic do not correlate.
For example, .hsbc is ranked 14th in terms of traffic volume but saw requests for just 2,000 domains, whereas .inc, which ranked 15th, saw requests for 73,000 domains.
Unfortunately, the Interisle report only published the SLD numbers for the top 35 strings by query volume, leaving most applicants none the wiser about the possible impact of their own strings.
And ICANN did not factor the number of SLDs into its decision about where to draw the line between “low” and “uncalculated” risk.
Conspiracy theories
Some applicants questioned whether the Interisle data itself was reliable, but I find these arguments poorly supported and largely speculative.
They propose that someone (meaning presumably Verisign, which stands to lose market share when new gTLDs go live, and which kicked off the name collisions debate in the first place) could have gamed the study by generating spurious requests for applied-for gTLDs during the period Interisle’s data was being captured.
Some applicants put forth this view, while other limited their comments to a request that future studies rely only on data collected before now, to avoid tampering at the point of collection in future.
NTAG said:

Query counts are very easily gamed by any Internet connected system, allowing for malicious actors to create the appearance of risk for any string that they may object to in the future. It would be very easy to create the impression of a widespread string collision problem with a home Internet connection and the abuse of the thousands of available open resolvers.

While this kind of mischief is a hypothetical possibility, nobody has supplied any evidence that Interisle’s data was manipulated by anyone.
Some people have privately pointed DI to the fact that Verisign made a substantial donation to the DNS-OARC — the group that collected the data that Interisle used in its study — in July.
The implication is that Verisign was somehow able to manipulate the data after it was captured by DNS-OARC.
I don’t buy this either. We’re talking about a highly complex 8TB data set that took Interisle’s computers a week to process on each pass. The data, under the OARC’s deal with the root server operators, is not allowed to leave its premises. It would not be easily manipulated.
Additionally, DNS-OARC is managed by Internet Systems Consortium — which runs the F-root and is Uniregistry’s back-end registry provider — from its own premises in California.
In short, in the absence of any evidence supporting this conspiracy theory, I find the idea that the Interisle data was hacked after it was collected highly improbable.
What next?
I’ve presented only a summary of some key points here. The full list of comments can be found here. The reply period for comments closes September 17.
Several ICANN constituencies that can usually be relied upon to comment on everything (registrars, intellectual property, business and non-commercial) have not yet commented.
Will ICANN extend the deadline? I suppose it depends on how cautious it wants to be, whether it believes the companies requesting the extension really are conducting their own internal collision studies, and how useful it thinks those studies will be.

URS is live today as .pw voluntarily adopts it

Directi has become the first TLD registry to start complying with the Uniform Rapid Suspension process for cybersquatting complaints.
From today, all .pw domain name registrations will be subject to the policy, which enables trademark owners to have domains suspended more quickly and cheaply than with UDRP.
URS was designed, and is obligatory, for all new gTLDs, but Directi decided to adopt the policy along with UDRP voluntarily, to help mitigate abuse in the ccTLD namespace.
URS requirements for gTLD registries have not yet been finalized, but this is moot as they don’t apply to .pw anyway.
To date, only two UDRP complaints have been filed over .pw domains.
The National Arbitration Forum will be handling URS complaints. Instructions for filing can be found here.

Six more LROs kicked out, most for “front-running”

Six more new gTLD Legal Rights Objections, six more rejected objections.
The World Intellectual Property Organization is chewing through its caseload of LROs at a regular pace now, made all the more easier by the fact that a body of precedent is being accumulated.
Objections rejected in decisions published last week cover the gTLDs .home, .song, .yellowpages, .gmbh and .cam.
All but one were thrown out, with slightly different panelist reasoning, because they had engaged in some measure of “front-running” — applying for a trademark just in order to protect a gTLD application.
Here’s a quick summary of each decision, starting with what looks to be the most interesting:
.yellowpages (hibu (UK) v. Telstra)
Last week somebody asked me on Twitter which LROs I thought might actually succeed. I replied:

@ManagingIP Just based on the list of strings and objectors, only .delmonte, .merck and .yellowpages jump out at me.

— Kevin Murphy (@DomainIncite) July 23, 2013

Well, my initial hunch on .yellowpages was wrong, and I think I’m very likely to have been wrong about the other two also.
This case is interesting because it specifically addresses the issue of two matching trademarks happily living side-by-side in the trademark world but clashing horribly in the unique gTLD space.
The objector in this case, hibu, publishes the Yellow Pages phone book in the UK and has a big portfolio of trademarks and case law protecting its brand. If anyone has rights, it’s these guys.
But the “Yellow Pages” brand is used in several countries by several companies. In the US, there’s some case law suggesting that the term is now generic, but that’s not the case in the UK or Australia.
On the receiving end of the objection was the Australian telecoms firm Telstra, which is the publisher of the Aussie version of the Yellow Pages and, luckily for it, the only applicant for .yellowpages.
The British company argued that “no party should be entitled to register the Applied-for gTLD”, due to the potential for confusion between the same brand being owned by different companies in different countries.
The panel concluded that brands will clash in the new gTLD space, and that that’s okay:

It is inherent in the nature of the gTLD regime that those applicants who are granted gTLDs will have first-level power extending throughout the Internet and across jurisdictions. The prospect of coincidence of brand names and a likelihood of confusion exists.
…
The critical issue in this LRO proceeding is whether the Objector’s territorial rights in the term “YELLOW PAGES” (and the prospect of other non-objecting third parties’ territorial right) means that the applicant (or anyone else for that matter) should not be entitled to the Applied-for gTLD.

The panelist uses the eight-criteria test in the Applicant Guidebook to make his decision, but he chose to highlight two words:

the Panel finds that the Objector has failed to establish, as it alleges, that the potential use of the Applied-for gTLD by the applicant… unjustifiably impairs the distinctive character or the reputation of the objector’s mark… or creates an impermissible likelihood of confusion between the applied for gTLD and the Objector’s mark.

Because Telstra has rights to “Yellow Pages” too, and because it’s promising to respect trademark rights at the second level, the panelist concluded that its application should be allowed to proceed.
It’s the third instance of a clash between rights holders in the LRO process and the third time that the WIPO panelist has adopted a laissez faire approach to new gTLDs.
And as I’ve said twice before, if this type of decision becomes the norm — and I think it will — we’re likely to see many more defensive applications for brand names in future new gTLD rounds.
The LRO is not shaping up to be an alternative to applying for a gTLD as a means to defend a legitimate brand. Applying for a gTLD matching your trademark and then fighting through the application process may turn out to be the only way to make sure nobody else gets that gTLD.
.cam (AC Webconnecting Holding v. United TLD Holdco)
Both sides of this case are applicants for .cam. United TLD is a Demand Media subsidiary while AC Webconnecting is a Netherlands-based operator of several webcam-based porn sites.
Like so many other applicants, AC Webconnecting applied for its European trademark registration for “.cam” and a matching logo in December 2011, just before the ICANN application window opened.
The panelist decided that its trademark was acquired in a bona fide fashion, he also decided that the company had not had enough time to build up a “distinctive character” or “reputation” of its marks.
That meant the Demand Media application could not be said to take “unfair advantage” of the marks. The panelist wrote:

Given the relatively short existence of these trademarks, it is unlikely that either [trademark] has developed a reputation.
…
In the Panel’s opinion, replication of a trademark does not, of itself, amount to taking unfair advantage of the trademark – something more is required.
…
the Panel considers that this something more in the present context needs to be along the lines of an act that has a commercial effect on a trademark which is undertaken in bad faith – such as free riding on the goodwill of the trademark, for commercial benefit, in a manner that is contrary to honest commercial practices.

What we’re seeing here is another example of a trademark front-runner losing, and of a panelist indicating that applicants need some kind of bad faith in order to lose and LRO.
.home (Defender Security Company v. DotHome Inc.)
Kicked out for the same reasons as the other Defender objections to rival .home — it was a transparent gaming attempt based on a flimsy, recently acquired trademark. See here and here.
DotHome Inc is the subsidiary Directi/Radix is using to apply for .home.
The decision (pdf) goes into a bit more detail than the other .home decisions we’ve seen to date, including information about how much Defender paid to acquire its trademarks ($75,000) and how many domains its bogus Go Daddy reseller site has sold (three).
.home (Defender Security Company v. Baxter Pike)
Ditto. This time the applicant was a Donuts subsidiary.
.song (DotMusic Limited v. Amazon)
Like the failed .home objections, the .song objection was based on a trademark acquired tactically in late 2012 by Constantine Roussos, whose company, CGR E-Commerce, is applying for .music.
This objection failed (pdf) for the same reasons as the same company’s objection to Amazon’s .tunes application failed last week — a trademark for “.SONG” is simply too generic and descriptive to give DotMusic exclusive rights to the matching gTLD.
Roussos has also filed seven LROs against his competitors for .music, none of which have yet been decided.
.gmbh (TLDDOT GmbH v. InterNetWire Web-Development)
Both objector and respondent here are applicants for .gmbh, which indicates limited liability companies in German-speaking countries.
TLDDOT registered its European trademark in “.gmbh” a few years ago.
Despite the fact that it was obviously acquired purely in order to secure the matching gTLD, the panelist in this case ruled that it was bona fide.
Despite this, the panelist concluded that for InternetWire to operate .gmbh in the generic, dictionary-word sense outlined in its application would not infringe these trademark rights.

This is how stupid the GAC’s new gTLDs advice is (part two)

When Donuts and ICANN signed a new gTLD contract for .游戏, on a stage in front of hundreds of people at ICANN 47 this morning, it made a mockery of the relationship between ICANN and the GAC.
游戏 is the Chinese for “game” or “games”. It was an uncontested application with no objections and, importantly, no Governmental Advisory Committee advice standing in its way.
Donuts got lucky. The six companies that have applied for .game or .games in English are all currently prohibited from entering into contract negotiations with ICANN because they did receive GAC advice.
When the GAC drafted its “Advice on New gTLDs” in Beijing three months ago, it included a long but “non-exhaustive” set of strings that it said needed extra “safeguards” on security and community support.
ICANN has called these strings the “Category 1” list. It’s already been the subject of some strong discussion with the GAC at the meeting in Durban, which kicked off over the weekend.
So was it the GAC’s intention with Category 1 to introduce a language bias into the new gTLD program? Did it intend to give Chinese-script strings special privileges over ASCII-based languages?
If there was a sensible rationale for including .game/.games on the Category 1 list, why didn’t it apply to .游戏?
Or did the GAC simply not give its Beijing advice the care and attention it deserved?
Based on sessions in Durban over the weekend, the latter explanation appears to be closer to the truth.
“Vague and unimplementable”
At session between the GAC and ICANN’s board-level New gTLD Program Committee yesterday, the GAC heard in the strongest terms (within the bounds of polite discourse) how silly its Beijing advice was.
The session kicked off with NGPC member Chris Disspain delivering a witheringly but necessarily blunt assessment of the “Category 1” list and the associated safeguards.
He first noted that ICANN already rejected the GAC’s advice to make certain strings mandatory “community” gTLDs — something that would have had the same effect as the Beijing advice — back in 2011.
The GAC Early Warning system was introduced instead, he said, to give governments the ability to work with or object to applicants for specific strings that they were worried about.
Disspain continued with a catalog of criticisms against the Category 1 advice:

The difficulties we see at the moment are that the categories of strings are broad and undefined. There’s no principled basis for distinguishing certain categories and strings.
Generic terms are in the same category as highly regulated industries. Some strings have segments that are both licensed and unlicensed.
It’s difficult to determine relevant regulatory agencies and self-regulatory organizations. Some strings refer to industries that may be sensitive or regulated in a single or a few jurisdictions only.
The safeguard advice items three to eight create obligations that are vague and unimplementable.
And these are the outcomes that we sought to avoid when we rejected the advice in the first place. And we agreed to put in place the Early Warning system so that governments could deal directly with applicants if they had issues with the string.

He received some push-back from GAC members, some of whom — insisting that the Beijing communique was well-considered and easily understood — appear to be in denial.
“In the end, you should come with us, trying to implement,” the member for Italy said. “Because I’m sure that you well understood the meaning of this Annex 1.”
In response, Disspain reiterated that the NGPC really doesn’t understand what the GAC wants and really doesn’t understand how it came up with the Category 1 list in the first place.
“We’re unclear how we could implement at all some pieces of the advice,” he said. “The issue for us is not so much that there could be other names that could be added to the list but rather there are names that appear on the list that we don’t understand why they’re there in the first place.”
Now what?
Impasse thus reached, much of the discussion during the hour-long session focused on ways to potentially move the process forward, with participants acknowledging they’re in “uncharted territory”.
Switzerland suggested — contrary to what is plainly spelled out in the Applicant Guidebook, which asks the GAC to comment on specific applications — that the GAC didn’t think that its job was to come up with a definitive list of worrying strings. He said:

Initially, we did not think that it’s the task of the GAC to put together a finite list of sensitive strings, but we have been informed that it would be helpful to come up with concrete names.
So don’t take this list as a list that has been worked out over months and years and every TLD has been tested. These are examples, as we identified it in a rather short time.
There might be a few names that are not on the list that you could easily also add. There are some inconsistencies in that sense. But this is not meant to be a finite, absolute list.

The UK rep said he was disappointed with the “negative” tone of the NGPC’s response to the safeguard advice, but also suggested that the next step might be to come up with a proper list of strings.
“I think the next step forward is for the committee to try and prepare a first draft list for consultation with the whole community,” he said. “And we, the governments, we could obviously seize the opportunity to contribute to that consultation.”
The European Commission provided a statement that its representative said represented the views of EU states on the GAC. The statement said that the Beijing list should be an “at-minimum” list.

European GAC members consider the role of the GAC in this discussion is to provide high-level clarifications regarding the Beijing GAC advice rather than precise implementation means.
We would also like to note that the list of sensitive strings provided in the Beijing communique is a non-exhaustive one… meaning the list should be considered an at-minimum list.

What does this all mean for applicants?
Based on yesterday’s hour-long discussion, ICANN can surely be no closer to understanding which applications are affected by the GAC advice and presumably still doesn’t have a clue what some of it means.
This afternoon, during another session in Durban, program manager Christine Willett said that ICANN is using the Category 1 list published in Beijing when deciding which applicants can be contracted with.
“The NGPC is still considering the Category 1 advice and we have no direction or indication from them yet that a definitive list will be created,” she said.
I can’t see it being resolved this week, and inter-sessional meetings are very rare, so we could now be looking at Buenos Aires — November — before any of this gets sorted out.
For applicants who were — it now seems — selected at random to appear on the Beijing list, they’re facing months more delay while applicants that were not included are free to sign registry contracts today.
Is this fair?
Is it fair to allow applicants that were inexplicably excluded from the GAC’s Beijing list to go ahead and contract with ICANN, while others that were inexplicably included are delayed by many more months?
Is it fair that some applications will get bumped up the queue to delegation just because the GAC didn’t spend enough time thinking about its task?
How can ICANN be certain at contracting that any application is free of GAC advice, when the GAC has made it clear that it expects its list of strings to grow?
I asked ICANN CEO Fadi Chehade some of these questions during a press conference this afternoon and he pointed out that there are mechanisms in place in the Registry Agreement to allow future GAC advice to be addressed.
If it indeed the case that Donuts, for example, might have to add some safeguard commitments to its already signed .游戏 contract, why prevent the .game and .games applicants from signing contracts too?
Wouldn’t it be fairer to delay all new gTLD applications, or none at all, rather than relying on a list of strings we now know definitively to be ad hoc and unreliable?

Report names and shames most-abused TLDs

Newish gTLDs .tel and .xxx are among the most secure top-level domains, while .cn and .pw are the most risky.
That’s according to new gTLD services provider Architelos, which today published a report analyzing the prevalence of abuse in each TLD.
Assigning an “abuse per million domains” score to each TLD, the company found .tel the safest with 0 and .cn the riskiest, with a score of 30,406.
Recently relaunched .pw, which has had serious problems with spammers, came in just behind .cn, with a score of 30,151.
Generally, the results seem to confirm that the more tightly controlled the registration process and the more expensive the domain, the less likely it is to see abuse.
Norway’s .no and ICM Registry’s .xxx scored 17 and 27, for example.
Surprisingly, the free ccTLD for Tokelau, .tk, which is now the second-largest TLD in the world, had only 224 abusive domains per million under management, according to the report..
Today’s report ranked TLDs with over 100,000 names under management. Over 90% of the abusive domains used to calculate the scores were related to spam, rather than anything more nefarious.
The data was compiled from Architelos’ NameSentry service, which aggregates abusive URLs from numerous third-party sources and tallies up the number of times each TLD appears.
The methodology is very similar to the one DI PRO uses in TLD Health Check, but Architelos uses more data sources. NameSentry is also designed to automate the remediation workflow for registries.

Plural gTLDs not confusing, says ICANN (and two gotchas proving it wrong)

Dozens of new gTLD applicants will be breathing a sigh of relief this morning as ICANN said it will allow single and plural versions of the same gTLD to co-exist after all.
The decision, made Tuesday by ICANN’s New gTLD Program Committee, affects at least 98 applications. It said:

NGPC has determined that no changes are needed to the existing mechanisms in the Applicant Guidebook to address potential consumer confusion resulting from allowing singular and plural versions of the same string.

It was in response to the Governmental Advisory Committee, which had advised ICANN to “reconsider its decision to allow singular and plural versions of the same strings.”
Because of the wording of the advice, ICANN is able to disagree with the the GAC’s opinion that “singular and plural versions of the string as a TLD could lead to potential consumer confusion” without triggering its bylaws provision that forces it into time-consuming GAC negotiations.
By “reconsidering” plural/singular coexistence and not doing anything, it has stuck to the letter of the advice.
In its reconsideration it reconsiderated whether it should overturn the findings of its independent String Similarity Panel, which did not believe any plural/singular pairs were confusingly visually similar.
It also used the coexistence of second-level plural and singular domains, registered to different people, as evidence that users would not find similar coexistence at the top level confusing.
The decision has potentially far-reaching consequences on the new gTLD program.
First, it could mean that some plural/singular pairs will be allowed to exist while others will not.
There are a handful of formal String Confusion Objections filed by applicants for gTLDs that have singular or plural competitors in the current round.
These string pairs are not currently in contention sets, but if the objectors prevail only one of the strings will survive to delegation.
Other string pairs have no objections and will be allowed to coexist. This may be fair in a sense, but it’s not uniform nor predictable.
(One wonders if the String Confusion Objection arbitration panels will use ICANN’s ruling this week in their own decision-making process, which could open a can of worms.)
Second, I think the decision might encourage bad business practices by registries.
My beef with coexistence
I don’t think coexistence is a wholly terrible idea, but I do think it will have some negative effects, as I’ve expressed in the past.
First, I think it’s going to lead to millions of unnecessary defensive registrations.
And by “defensive” I’m not talking about companies protecting their trademarks. Whether you think they’re adequate or not, trademark owners already have protections in new gTLDs.
I’m talking about regular domain registrants, small businesses, entrepreneurs and so on. These people are going to find themselves buying two domains when they only need one.
Let’s say you’re Mad John’s Autos, and you’re registering madjohn.auto. You get to the checkout and Go Daddy offers you the matching .autos domain. Assuming similar pricing, you’d definitely register it, right?
You’ve always got to assume a certain subset of users will get confused and either wind up at a dead URL or a competitor’s site. It’s simpler just to defensively register both.
What if one was priced a little higher than the other? Maybe you’d still register it. How big would the price differential have to be before you decided not to buy the plural duplicate?
Buying two domains instead of one may not be a huge financial burden to individual registrants, but it’s going to lead to situations where gTLDs exist in symbiotic — or parasitic — pairs.
If you run the .auto registry, you may find that your plural competitor is spending so much on marketing .autos that you don’t need to lift a finger in order to sell millions of domain names.
Just make sure you’re partnered with the same registrars and bingo: you’re up-sell.
Attractive business plan, right? You may disagree, but when ICANN opens the floodgates for the second round of new gTLD applications in a couple years, we’ll find out for sure.
Two gotchas
Defenses of plural/singular gTLD coexistence often come from, unsurprisingly, the portfolio applicants that have applied for them and, presumably, may apply for them in future rounds.
“Singulars and plurals live together now on the [second-level domain] side,” Uniregistry said. “They create healthy competition and do not unduly confuse consumers to the point of annoyance.”
I wouldn’t disagree with that statement. Plural/singular coexistence may not confuse internet users to the point of danger or annoyance. But, I would argue, they do make people buy more domain names than they need to.
If you were buying autos.com today you’d definitely definitely buy auto.com as well and redirect it to autos.com. You’d be an idiot not too.
When I put this to Uniregistry execs privately several weeks ago, they disagreed with me. Nobody would bother with such duplicative/defensive domains, they said.
In response, I asked, cheekily: so why do you own uniregistries.com, redirecting it to uniregistry.com?
Another portfolio applicant, Donuts, also didn’t like the idea of plurals and singulars being mutually exclusive, according to this CircleID article. It doesn’t think they’re confusingly similar.
Yet a press release put out by the company last month accidentally said it planned to put its application for .apartment to auction.
The problem is that Donuts hasn’t applied for .apartment, it has applied for .apartments.
I feel rotten for highlighting a simple typo by a fellow media professional (I make enough of those) but isn’t that what we’re often talking about when discussing confusing similarity? Typos?
If the registry can get confused by its own applied-for strings, doesn’t that mean internet users will as well?
Oh, I’m a cybersquatter
Interestingly, ICANN’s belief that plurals are not confusing appears to be institutional.
At least, I discovered this morning that icanns.org, the plural of its primary domain, was available for registration.
So I bought it.
Let’s see how much traffic it gets.
If I get hit by a UDRP, that could be interesting too.

ICANN offers to split the cost of GAC “safeguards” with new gTLD registries

All new gTLD applicants will have to abide by stricter rules on security and Whois accuracy under government-mandated changes to their contracts approved by the ICANN board.
At least one of the new obligations is likely to laden new gTLDs registries with additional ongoing costs. In another case, ICANN appears ready to shoulder the financial burden instead.
The changes are coming as a result of ICANN’s New gTLD Program Committee, which on on Tuesday voted to adopt six more pieces of the Governmental Advisory Committee’s advice from March.
This chunk of advice, which deals exclusively with security-related issues, was found in the GAC’s Beijing communique (pdf) under the heading “Safeguards Applicable to all New gTLDs”.
Here’s what ICANN has decided to do about it.
Mandatory Whois checks
The GAC wanted all registries to conduct mandatory checks of Whois data at least twice a year, notifying registrars about any “inaccurate or incomplete records” found.
Many new gTLD applicants already offered to do something similar in their applications.
But ICANN, in response to the GAC advice, has volunteered to do these checks itself. The NGPC said:

ICANN is concluding its development of a WHOIS tool that gives it the ability to check false, incomplete or inaccurate WHOIS data
…
Given these ongoing activities, ICANN (instead of Registry Operators) is well positioned to implement the GAC’s advice that checks identifying registrations in a gTLD with deliberately false, inaccurate or incomplete WHOIS data be conducted at least twice a year. To achieve this, ICANN will perform a periodic sampling of WHOIS data across registries in an effort to identify potentially inaccurate records.

While the resolution is light on detail, it appears that new gTLD registries may well be taken out of the loop completely, with ICANN notifying their registrars instead about inaccurate Whois records.
It’s not the first time ICANN has offered to shoulder potentially costly burdens that would otherwise encumber registry operators. It doesn’t get nearly enough credit from new gTLD applicants for this.
Contractually banning abuse
The GAC wanted new gTLD registrants contractually forbidden from doing bad stuff like phishing, pharming, operating botnets, distributing malware and from infringing intellectual property rights.
These obligations should be passed to the registrants by the registries via their contracts with registrars, the GAC said.
ICANN’s NGPC has agreed with this bit of advice entirely. The base new gTLD Registry Agreement is therefore going to be amended to include a new mandatory Public Interest Commitment reading:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

The decision to include it as a Public Interest Commitment, rather than building it into the contract proper, is noteworthy.
PICs will be subject to a Public Interest Commitment Dispute Resolution Process (PICDRP) which allows basically anyone to file a complaint about a registry suspected of breaking its commitments.
ICANN would act as the enforcer of the ruling, rather than the complainant. Registries that lose PICDRP cases face consequences up to an including the termination of their contracts.
In theory, by including the GAC’s advice as a PIC, ICANN is handing a loaded gun to anyone who might want to shoot down a new gTLD registry in future.
However, the proposed PIC language seems to be worded in such a way that the registry would only have to include the anti-abuse provisions in its contract in order to be in compliance.
Right now, the way the PIC is worded, I can’t see a registry getting terminated or otherwise sanctioned due to a dispute about an instance of copyright infringement by a registrant, for example.
I don’t think there’s much else to get excited about here. Every registry or registrar worth a damn already prohibits its customers from doing bad stuff, if only to cover their own asses legally and keep their networks clean; ICANN merely wants to formalize these provisions in its chain of contracts.
Actually fighting abuse
The third through sixth pieces of GAC advice approved by ICANN this week are the ones that will almost certainly add to the cost of running a new gTLD registry.
The GAC wants registries to “periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats such as pharming, phishing, malware, and botnets.”
It also wants registries to keep records of what they find in these analyses, to maintain a complaints mechanism, and to shut down any domains found to be perpetrating abusive behavior.
ICANN has again gone the route of adding a new mandatory PIC to the base Registry Agreement. It reads:

Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.

You’ll notice that the language is purposefully vague on how registries should carry out these checks.
ICANN said it will convene a task force or GNSO policy development process to figure out the precise details, enabling new gTLD applicants to enter into contracts as soon as possible.
It means, of course, that applicants could wind up signing contracts without being fully apprised of the cost implications. Fighting abuse costs money.
There are dozens of ways to scan TLDs for abusive behavior, but the most comprehensive ones are commercial services.
ICM Registry, for example, decided to pay Intel/McAfee millions of dollars — a dollar or two per domain, I believe — for it to run daily malware scans of the entire .xxx zone.
More recently, Directi’s .PW Registry chose to sign up to Architelos’ NameSentry service to monitor abuse in its newly relaunched ccTLD.
There’s going to be a fight about the implementation details, but one way or the other the PIC would make registries scan their zones for abuse.
What the PIC does not state, and where it may face queries from the GAC as a result, is what registries must do when they find abusive behavior in their gTLDs. There’s no mention of mandatory domain name suspension, for example.
But in an annex to Tuesday’s resolution, ICANN’s NGPC said the “consequences” part of the GAC advice would be addressed as part of the same future technical implementation discussions.
In summary, the NGPC wants registries to be contractually obliged to contractually oblige their registrars to contractually oblige their registrants to not do bad stuff, but there are not yet any obligations relating to the consequences, to registrants, of ignoring these rules.
This week’s resolutions are the second big batch of decisions ICANN has taken regarding the GAC’s Beijing communique.
Earlier this month, it accepted some of the GAC’s direct advice related to certain specific gTLDs it has a problem with, the RAA and intergovernmental organizations and pretended to accept other advice related to community objections.
The NGPC has yet to address the egregiously incompetent “Category 1” GAC advice, which was the subject of a public comment period.

Directi launches pre-reg site for .host gTLD

Directi is to offer preregistration for its uncontested gTLD applications, and it’s starting with .host.
The company will accept expressions of interest from potential registrants from June 17, where it has a booth at the HostingCon show in Austin, Texas, according to business head Sandeep Ramchandani.
Directi’s other two uncontested bids — .press and .space — will also get preregistration pages.
It’s the usual pre-reg deal: free and no-obligation.
While .host has not yet passed its Initial Evaluation, the company’s other applications have has a smooth ride so far so it’s a pretty reasonable assumption that this one will also pass.
The bid also has no objections and no special Governmental Advisory Committee advice.
While preregistration services have proved controversial in the past, they’re becoming increasingly common as new gTLDs start thinking about what a crowded market they’re walking into.